Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
1
 
 

For example, Signal is a great app to use for private communication but if you use Signal on Windows OS then how private is the communication really? Typical Windows users aren't good at security and Windows users also have a high amount of malware which can spy on the conversations. It was just an example for privacy starts with the hardware.

I have read a lot of people in privacy communities recommend buying older thinkpads and basically anything that Heads supports. The problem is not that they are old, the problem is they are second hand. You don't know what the previous owner has been doing on the laptop and who might have had access to it. Remember, Windows users are typically not good at security and malware spreads commonly in Windows.

If a malware flashes a ROM then you buy their laptop and erase the hdd or ssd or buy a new hdd/ssd, then you flash coreboot to the computer. After all this the malware can still remain in the firmware and you would never know unless the malware makes itself obviously known by a ransom attack or stealing all your crypto or something.

There is nothing you can do to prevent this risk other than avoiding used computers.

Then there's the entirely other debate if it's even worth it for security & privacy to buy an old brick that is supported by Heads. And I'm not experienced enough on that topic yet although I'm learning about it and getting closer to being able to come to my own conclusion with the help of all the experts who have written about it.

These old bricks don't get microcode updates for the CPU which means you will be vulnerable to many Spectre and Meltdown attacks. QubesOS can mitigate it to some degree such as by disabling hyperthreading, but QubesOS can't mitigate it completely, only microcode updates can and these old bricks don't receive them.

But the main point I wanted to make in this topic is about risk with used second hand laptops. Because of that I think it probably is best to buy a new unused laptop. Off the shelf for cash is best but maybe not depending on which country you live in. fed upgrade factories are a thing and some countries have it happening more than others. In that case maybe it's better to order a laptop from one of those laptop vendors who ship it with tamper proof container, although it will be very expensive with taxes/customs but worth it.

2
 
 

It's so difficult with so many options and all these bullshit "discounts", coupled with the fact that different VPNs charge different prices based on what country you're connecting from...

What is the cheapest functional VPN you've come across? Bonus points if it supports IPv6.

3
 
 

Hi guys,

do you know a good and privacy friendly way to pay with your phone (like Google Pay)? I am using Graphene OS on a Pixel 8 and live in Germany so some services might not be available here 🙈

4
 
 

from the new-breed-of-surveillance-statists dept

5
 
 

Has anyone else received stuff like this?

6
121
submitted 2 days ago* (last edited 2 days ago) by Charger8232@lemmy.ml to c/privacy@lemmy.ml
 
 

Introduction

8 days ago I made this post asking for the most controversial privacy topics. My first post answering a controversial question got so few upvotes that it was almost my worst post to date. I don't do these for upvotes, though. I do them for fun :)

So, with that, here is the second post demystifying some controversial privacy topics. @TranquilTurbulence@lemmy.zip asked "VPN: essential or snake oil?"

I try to avoid topics that have been thoroughly answered multiple times, or have such a direct answer that it would be too short to make a post about. This topic is a bit of both, but worth writing anyway, because I do have my own insights.

Some people didn't like that I break the main question down into multiple sub questions. It is valid criticism, but it's my style of writing, so I will stick to what I'm good at.

What does a VPN do?

A Virtual Private Network (abbreviated "VPN") is a way of proxying your internet traffic through a third party. There are many reasons why you would want this:

Hiding your IP address: VPNs will replace your IP address with a random IP address assigned by the VPN provider. IP addresses are unique to your router, meaning you can be uniquely identified. IP addresses are usually static, meaning they never change, but sometimes your ISP may assign you a dynamic IP address, which will change every few months or so. If you open up ports on your router (for various purposes), it can leave your network vulnerable to certain attacks as long as the attackers know your public IP address.

Hiding your location: Your IP address can narrow your location down to the city you live in. In some cases, such as shared Wi-Fi (like on a college campus) or public Wi-Fi, the IP address can be more easily identified to the specific block or building you are in. Any internet connection made can see your IP address, and can automatically use that to attempt to locate you.

Encrypting your traffic: VPNs can allow your traffic to be encrypted, so that your ISP or other people connected to the same network can't see which sites you visit or (in some cases) what data is sent. The reasons why this is important are too long to list, but you can work it out on your own.

Network based ad blocking: Some VPN providers allow you to block ads before they even reach your device, which can increase your loading times and save you data on metered connections. This can be achieved without a VPN through your own DNS filters, but it is a feature of VPNs too.

Access blocked content: VPNs can be used as a way to bypass censorship if your network regulates your traffic (such as at an office or school). A VPN can bypass these restrictions, allowing you to access content freely.

Accessing region-specific content: Content on streaming services such as Netflix, video sharing sites such as YouTube, or many other services may restrict what content is available to you based on your country. A VPN can allow you to bypass these restrictions in some cases.

Those can all be ways to enhance your privacy, security, anonymity, and freedom while browsing the internet. VPNs do come with some downsides, though.

What are the downsides of using a VPN?

When you browse the internet without a VPN, you are placing your trust in your ISP or cellular provider to uphold your privacy, and placing trust in the network devices such as your router to uphold your security. In practice, that is almost never the case. Using a VPN doesn't automatically make it more trustworthy, but it does place that trust in the hands of your VPN provider instead. Some VPN providers are more trustworthy than others, but there are good options to choose from. You still have to trust an entity to uphold your privacy and security, but VPNs can be a much better place to keep that trust.

Not everyone may want to use a VPN though. Besides distrust, VPNs have other downsides. VPNs will slow down your internet speeds, may block certain functions such as torrenting, and may incriminate you in some countries. Ultimately, the choice to use a VPN is yours.

If you believe the upsides outweigh the downsides, then a VPN is a good tool to have. If your threat model requires anything a VPN provides, it's an essential tool. Some functions of a VPN can be achieved through careful setup of a DNS and elite anonymity proxy, but VPNs will always be the easiest option.

Which VPN providers are the best?

There are currently 3 top VPN providers for privacy. All of them are open source, and all of them have their pros and cons. I haven't listed every feature for each, but here are the notable differences:

Proton VPN

Proton VPN provides a free tier VPN with some functionality limited, as well as a premium tier if you have a Proton subscription. If you already have a Proton subscription, and don't mind putting all your eggs in one basket, Proton VPN is a good option.

Mullvad VPN

Mullvad VPN is probably the most private VPN available. It is only paid, but it allows you to pay any way you want, including cash and cryptocurrencies. No signup is required, because you are given a randomly generated account number for payment. You can regenerate the number at any time.

IVPN

IVPN is unique and relatively unknown. The main benefit I see is that it is the only VPN of these three that is available on Accrescent for Android, allowing you to have extra confidence in the integrity of the app. Eventually Mullvad VPN and Proton VPN will be available on Accrescent.

These VPNs will uphold your privacy and security, and won't log your internet traffic. VPNs in the past have been used to aid law enforcement by handing over those logs, so it is good that these don't.

Conclusion

VPNs can be an essential tool if you need them, and there are options that respect your privacy. Always be aware of the risks, no matter how trustworthy a VPN provider may be. Thank you for reading!

- The 8232 Project

7
 
 

I can’t use them because I can’t convince anybody to switch with me. I talk to most people on discord and I’d rather move to using Matrix, but I can’t convince any of my friends or family or anyone I know to use anything else.

8
 
 

I'm thinking of getting a fairphone in the future. I like that they are modular and last a while. Are they easily customizable to where I can flash a different ROM? Is the default configuration private?

9
 
 

They all have iPhones and Google Android. Since all my calls and text messages are monitored on their phones, am I causing any additional harm to myself by using Google Messages on GrapheneOS? That way I could at least use RCS messaging.

10
 
 

If I created a Udemy account with my Gmail, then what's the difference between signing in with email and signing in with Google? Thanks in advance.

11
 
 

I know there are a lot of DNS filters available on the internet. I use a lot of them in my pihole system, next dns, and adblocker. But in some way I found that they don't contain a lot of domains. Maybe they are not tracking or ads, but I found that if you block them there is no effect. So I'm making a list of them. So do you have your own list? The one I made is too strict; most Google services don't work without them, but I'm good without it. So I want to know if you know about any of these unnecessary domains. If you know, please share for everyone.

12
 
 

I've been playing around with ollama. Given you download the model, can you trust it isn't sending telemetry?

13
 
 

Which one will you choose? Also, what do you guys think about the adguard https filter in the view of privacy?

14
 
 

Supposedly, he sells out of his phones but I haven't seen any review or unboxing videos for the Brax 3. I know that you can ask for iodeOS or Ubuntu touch.

15
 
 

This is not a long post, but I wanted to post this somewhere. This may be useful if someone is doing an article about Google or something like that.

While I was changing some things in my server configuration, some user accessed a public folder on my site, I was looking at the access logs of it at the time, everything completely normal up to that point until 10 SECONDS AFTER the user request, a request coming from a Google IP address with Googlebot/2.1; +http://www.google.com/bot.html user-agent hits the same public folder. Then I noticed that the user-agent of the user that accessed that folder was Chrome/131.0.0.0.

I have a subdomain and there are some folders of that subdomain that are actually indexed on the Google search engine, but that specific public folder doesn't appear to be indexed at all and it doesn't show up on searches.

Maybe Google uses Google Chrome users to discover unindexed paths of the internet and add them to their index?

I know it doesn't sound very shocking because most people here know that Google Chrome is a privacy nightmare and it should be avoided at all times, but I never saw this type of behavior on articles about "why you should avoid Google Chrome" or similar.

I'm not against anyone scraping the page either since it's public anyways, but the fact they discover new pages of the internet making use of Google Chrome impressed me a little.

Edit: Fixed a typo

16
 
 

Let's try to keep this topic around a basic-intermediate level when you try to explain things.

What I mean in the most simple words is a way for me to know if my laptop or any of the accessories such as charger, mouse, keyboard, camera, mic, etc, have been tampered with while I left them in my hotel room while I went out on some tourist attractions.

Adversary could be a local gang with hackers hired as hotel maid, or the adversary could be a corrupt/over reaching authority/intel who thinks citizens and tourists shouldn't have privacy and if they put a lot of effort into privacy then that means they are extremists and must mean they have something to hide.

I know of 3 ways to check for tampering:

  1. AEM or Trenchboot or Heads.
  2. Glitter nail polish.
  3. A device which monitors your room for intrusion.

If there is proof of tampering then the solution is to destroy the hardware and throw it in the trash because it's practically impossible to remove any tampering that was done with 100% certainty. Better to buy new hardware.

Now to elaborate on each of the 3 ways...

1. Trenchboot is better than AEM or at least it will become better when it supports TPM 2. The plan is for it to replace AEM completely. So to make this simpler we can keep this discussion about trenchboot vs Heads and leave out AEM.

TPM 2 is good and something we should want depending on how important this method of tamper proof is. Because TPM 1.2 is old and weak encryption.

But I've read so many arguments about Trenchboot vs Heads, it's very difficult to understand everything and requires very deep and advanced knowledge and I just don't know, maybe I just have to keep on reading and learning until I eventually begin to understand more of it.

2. Glitter nail polish is supposed to make it practically impossible to open up the laptop (removing screws) to access the ROM chip and any other hardware. That makes this method of tamper proof perfect and simple and works on all laptops. But there are vulnerabilities:

USB is not protected by glitter nail polish. And if any malware compromises your system it could flash the ROM.

I don't think the malware is much of a threat if we are using QubesOS because it's too unlikely for the malware to escape the Qube, it would mean a 0-day vulnerability in Xen hypervisor.

But an adversary could easily use a bad usb when they have physical access to the computer and glitter nail polish doesn't detect that. I guess that this is why nail polish isn't sufficient on its own and why we need also either trenchboot or Heads.

One downside of Heads is that it's Static Root of Trust for Measurement (SRTM) which means it only checks for tampering when you boot the computer. But I think if the only threat is a bad usb attack because glitter nail polish protects against everything else that can tamper with the hardware, then this Heads downside of being SRTM doesn't matter.

3. This could be an app on the smart phone which uses the sensors to check for sound, movement and light changes, vibrations. Or it could be a more professional device as a surveillance camera or motion detector.

This way of tamper proof solves all problems if you assume that someone entering the room means that the hardware has been tampered with. But unfortunately this is not a good assumption to make if you are traveling or sharing accommodation. There are plenty of dumb people who would enter your room even if you told them not to even if they have no malicious intentions and are not an adversary. That means this method would give a lot of false alarms.

But if you are using video surveillance then you would know exactly what they did while in your room and you can clearly see if they even touched your hardware. So, with video surveillance you maybe don't need trenchboot or Heads and glitter nail polish.

Another reason to have this tamper method is in case they put any camera in your room to watch what you're doing or watch you enter passwords. If you have for example a motion detector giving an alarm, you can spend some time looking for hidden cameras. There are cameras that are good for this, I think they are called infrared cameras, they can find the heat which a hidden camera would give.

Summary: You probably want all 3 methods because they complement each other's weaknesses. Question remains regarding trenchboot vs Heads in the scenario I've explained here. I suspect Heads is a better choice but I am mostly guessing. Maybe I'm not as lost in this rabbit hole as I feel like I am. I hope the more advanced and experienced people can give some comments and help.

Another point I almost forgot to make: This whole scenario is meant to be practical, a realistic lifestyle. For example, it's not realistic for most people to be able to bring all their hardware with them everywhere they go such as work. It also makes you a big target to be robbed if they get a hint of how much valuable equipment you have in your backpack. So this means we are leaving the hardware at home which could be a hotel room or a shared accommodation.

Also last point which I forgot to make as well: The accessories need to be tamper proof as well. I don't know if trenchboot or heads is capable of doing that, such as if they replace the charger or something. Maybe the only way to protect against this is one of two ways:

  1. Bring the accessories with you but leave the computer at "home". This isn't great though because you might not be able to keep your eyes on your backpack at all times.
  2. Have a box filled with lentils which you put the accessories inside when you leave your room. Then you can take before and after picture and compare them to see if the lentils have moved around or not. This would mean we actually have to use 4 methods to keep all hardware tamper proof. It's not so fun to have to pack all accessories into a lentils box every time you leave your room, and check pics of both glitter nail polish and lentils. It's a lot of work but maybe that's the only way?
17
18
19
 
 

Hi,

I'm looking for an E2EE and decentralized (or self hosted) videoconferencing that would have the following features

  • video or voice-only call
  • share screen
  • files transfer (optional)
  • text chat

( all of it E2EE )

I'm considering Jitsi meet, that seems to meet those requirements

Do you know better alternatives or do you have remarks about Jitsi?

Thanks.

20
 
 

Mornin' Been wondering if I should install GOS on my Pixel8 or keep my present setup with TC. I'm not conversant with the mechanics behind TC but it feels right to me. I don't use Google Apps and have been on F-Droid more often than Google Play. I do have a few apps which require net access hence using TC.

What say you..?

21
 
 

I am a long term GrapheneOS user and would like to talk about it. r/privacy on the redditland blocks custom OS discussions which I think is very bad for user privacy, and I hope this post will be useful to anyone who is in the hunt for better privacy.

Nowadays smartphones are a much bigger threat to our privacy than desktop systems, and unfortunately manufacturers have designed them to be locked down devices with no user freedom. You can't just "install Linux" on most smartphones and it is horrible. And most preloaded systems spy on us like crazy. That was why I specifically bought a pixel and loaded GOS onto it.

According to https://grapheneos.org/features , they start from base AOSP's latest version, improve upon its security and significantly harden it. There's hardened_malloc to prevent against exploitation, disabling lots of debugging features, disabling USB-c data, hardening the Linux kernel and system apps etc. They even block accessing the hardware identifiers of the phone so that apps cannot detect what phone you're using. That means with Tor and zero permissions given, apps are anonymous.

Compatibility with apps is best in Custom ROMs but there are still some that can't work, especially if they enforce device integrity. Very few apps usually enforce that tho. Also their community isn't the friendliest but you can get help. Just don't try and engage too much or have too many debates.

Anyone else here use GrapheneOS, or any other privacy ROMs? What is your experience? Do you disagree on any point? Let's have a discussion!

22
 
 

Inspired by the discussion in 'they already have your data' I was reminded that AdNauseam exists. I rarely see it mentioned in privacy circles but the idea seems attractive to me, I've used it before and since it's based on uBlock Origin it was just as effective in adblocking and the "poisoning" itself unobtrusive. How do you guys feel about it? Are there reasons it should be avoided?

23
 
 
24
44
submitted 1 week ago* (last edited 1 week ago) by j4p@lemm.ee to c/privacy@lemmy.ml
 
 

EDIT: Just thanking everyone for the thoughtful responses. Really enjoyed reading everyone's takes here and will definitely think on things moving forward and try various configurations out!

Hi all, interested in your thoughts here. Recently signed up for Proton Unlimited via Black Friday sale mainly for email/VPN/drive. For passwords I've been happy with Bitwarden and DDG for email forwarding (plus you get a duck.com address which is just fun).

If you were me would you move over to ProtonPass to streamline, or keep these things broken up? On one hand I don't want all my eggs in one basket, on the other hand I feel like it means I am trusting my info to one Swiss-based org vs Proton + DDG/Bitwarden which are US based. Plus if I am paying for a service I feel a little less like the product in the long term.

Feel pretty ok with both options as my main objective is de-Googling, but interested to hear what has worked well for others. Appreciate any input!

25
 
 

Up until like a year or two ago, YouTube links always used to be pretty clean. The format was youtube .com/watch?v=[video_ID]. A year or two ago, they started adding a tracking suffix on, so it would be youtube .com/watch?v=[video_ID] &si=[tracking_ID].

Over the last day or so, I've noticed links with a different format, youtube .com/watch?v=[video_ID]&pp=[tracking_ID] - only the pp= string is much longer than the si= string. This can only be because they're including more information in it. What that information is is anyone's guess.

This is basically a PSA to watch YouTube links more carefully, as people are by and large complacent with them (moreso than other links) and never even realised the si= change, let alone this new pp= change.

It could also be that the change to pp= is meant to circumvent communities, like this one, which automatically filter out the si= suffix. They may have decided to address that, then took the opportunity to make their tracking more severe.
